Live Active security incident? Get immediate response
MITRE ATT&CK® Technique

T1498.002: Reflection Amplification

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.[1] This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.

Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS[2] and NTP[3], though the use of several others in the wild have been documented.[4] In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.[5]

EnterpriseT1498.002Sub-techniqueObject v1.4 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Reflection Amplification is a network denial-of-service behavior where traffic is reflected through third-party services and amplified before reaching the victim. For leaders, the issue is availability: public-facing applications, DNS, email, and web services can be degraded even when the organization’s own hosts are not compromised. The practical question is whether the business has enough network visibility, filtering, and response coordination to recognize and absorb abnormal high-volume inbound traffic before services become unavailable.

Executive priority

Prioritize this as an operational resilience and incident-readiness issue for internet-facing services across Windows, Linux, macOS, and IaaS environments. Because ATT&CK provides no native detection text for this sub-technique, executives should ask for evidence that teams can distinguish reflection amplification from normal traffic surges, have escalation paths with network and cloud providers, and can apply traffic filtering controls such as M1037 without disrupting legitimate users.

Technical view

This is an Impact sub-technique under Network Denial of Service. SOC and IR teams should validate monitoring for high-volume inbound traffic patterns associated with reflected/amplified protocols noted in the ATT&CK description, including DNS, NTP, and memcache-related traffic. Detection engineering should review DET0408 where available and confirm that network-flow, firewall, load balancer, DNS, and cloud-network telemetry can show sudden volume changes, protocol concentration, source distribution, and service degradation. Because the attack relies on third-party reflectors, endpoint telemetry alone is unlikely to be sufficient.

Likely telemetry

  • Network flow records such as NetFlow or equivalent traffic summaries
  • Firewall and network appliance logs for ingress filtering decisions
  • Cloud or IaaS network logs for public-facing workloads
  • Load balancer, reverse proxy, and edge service metrics
  • DNS service logs and query/response volume metrics where applicable

Detection direction

  • Baseline normal inbound traffic volume by service, protocol, and geography/source distribution so abnormal amplification patterns are visible.
  • Tune detections for sudden high-volume inbound floods where response sizes, protocol mix, or source diversity are inconsistent with normal use.
  • Correlate network telemetry with availability metrics; a traffic spike is most material when it coincides with latency, dropped connections, or service errors.
  • Validate coverage against DET0408, but do not assume coverage because the ATT&CK technique itself does not provide detection guidance.
  • Account for false positives from legitimate events such as product launches, backups, monitoring scans, or traffic shifts through cloud and edge services.

Mitigation priorities

  • Apply M1037 Filter Network Traffic as the primary control direction: restrict allowed ingress traffic to public-facing services where business requirements permit.
  • Review exposure of services and protocols commonly associated with amplification in the ATT&CK description, including DNS, NTP, and memcache-related traffic.
  • Coordinate filtering and response procedures across internal network teams, cloud/IaaS providers, edge providers, and incident response stakeholders.
  • Prepare operational playbooks for rapid traffic characterization, service prioritization, and controlled filtering during availability incidents.
  • Use tabletop or readiness reviews to confirm that mitigation actions preserve critical business services and create audit evidence for resilience planning.
Analyst notes and limits

The supplied ATT&CK object supports conservative framing around availability impact, network traffic reflection, amplification, Windows/IaaS/Linux/macOS platforms, and mitigation through network traffic filtering. The Cisco NetFlow external reference supports emphasizing network-flow analysis as a relevant evidence class. Relationship context also shows a detection strategy, DET0408, but no detailed detection logic was supplied in this prompt.

MITRE does not provide official detection text for this object in the supplied fields. The object does not identify specific adversaries, campaigns, active exploitation, or guaranteed detection methods. Local architecture, edge-provider telemetry, cloud logging, exposed services, and business service criticality are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

Reflection Amplification

Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.[1] This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.

Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS[2] and NTP[3], though the use of several others in the wild have been documented.[4] In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.[5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1498 Network Denial of Service This object subtechnique of Network Denial of Service.
Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1037: Filter Network Traffic Enterprise subtechnique of · Technique T1498: Network Denial of Service Enterprise detects · Detection Strategy DET0408: Detection Strategy for Reflection Amplification DoS (T1498.002) Enterprise
Mitigations

Mitigation direction

Mitigation Enterprise

M1037: Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration. This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:

- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers. - Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:

- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications. - Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:

- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs. - Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:

- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized. - Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:

- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic. - Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.4
Created
Modified
Raw hash
a0c8db516e7661ee...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.4 Current bundle a0c8db516e76…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Cloudflare ReflectionDoS May 2017

    Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection (attacks). Retrieved April 23, 2019.

    Open source URL
  2. [2]
    Cloudflare DNSamplficationDoS

    Cloudflare. (n.d.). What is a DNS amplification attack?. Retrieved April 23, 2019.

    Open source URL
  3. [3]
    Cloudflare NTPamplifciationDoS

    Cloudflare. (n.d.). What is a NTP amplificaiton attack?. Retrieved April 23, 2019.

    Open source URL
  4. [4]
    Arbor AnnualDoSreport Jan 2018

    Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill Kasavchnko, and Gary Sockrider of Netscout Arbor. (2018, January). Insight into the Global Threat Landscape - Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report. Retrieved April 22, 2019.

    Open source URL
  5. [5]
    Cloudflare Memcrashed Feb 2018

    Marek Majkowski of Cloudflare. (2018, February 27). Memcrashed - Major amplification attacks from UDP port 11211. Retrieved April 18, 2019.

    Open source URL
  6. [6]
    Cisco DoSdetectNetflow

    Cisco. (n.d.). Detecting and Analyzing Network Threats With NetFlow. Retrieved April 25, 2019.

    Open source URL
  7. [7]
    mitre-attack T1498.002
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use